Posted by timothy on Tuesday March 29, 2011 @10:00PM
from the why-cry-over-spilt-milk-oil-and-data? dept.

Oxford_Comma_Lover writes "CNN Reports that BP lost a laptop with the name, address, DOB, and SSNs of everyone who filed claims related to the big oil spill last year. In other words, everyone asking for money from them based on the spill just got their private info misplaced. There has been no allegation of bad faith."

And let this be a lesson for anyone else who would seek to extort money from those fine humanitarians at British Petroleum.

Coincidentally, I saw this earlier today:

(Reuters) - Shares in oil major BP fell on Tuesday on a report the company's managers could face manslaughter charges following the Gulf of Mexico oil spill, which could lead to much higher fines over the disaster.

How about an additional answer: consider well what data you carry on a mobile device.

I have serious difficulty figuring out what scenario was in play that required this particular data to be on a laptop in the first place. Some mobile sales guy needed the data to plug in at a hotel conference room and make a presentation? Some jet-setting bigwig needed to massage the data and do some data-mining while on a trans-oceanic flight?

Even if the laptop's user was tasked with "visit each of these people individually and tell them 'no' in plain English", the data should have been partial and redacted.

Sorry, but corporations - like the human beings they're comprised of - put data on theft-prone devices that shouldn't be there in the first place. Encrypted or not.

I have serious difficulty figuring out what scenario was in play that required this particular data to be on a laptop in the first place. Some mobile sales guy needed the data to plug in at a hotel conference room and make a presentation? Some jet-setting bigwig needed to massage the data and do some data-mining while on a trans-oceanic flight?

The obvious use that comes to mind would be a field agent going out to a town meeting where claimants are asked to come and discuss any issues they have with their i

Which utterly fails to explain why they have the date of birth, much less social security number. If they can provide a valid photo ID with their name on it to prove their identity that ought to be good enough. You might argue for a masked SSN to differentiate Joe Smith #1 and Joe Smith #1, but name and address ought to be good enough for that; if they live at the same house you can probably treat them as part of the same household. And if not, take out a pen and paper and write a goddamned exception rat

Which utterly fails to explain why they have the date of birth, much less social security number. If they can provide a valid photo ID with their name on it to prove their identity that ought to be good enough. You might argue for a masked SSN to differentiate Joe Smith #1 and Joe Smith #1, but name and address ought to be good enough for that; if they live at the same house you can probably treat them as part of the same household. And if not, take out a pen and paper and write a goddamned exception rather

And delete that personally identifiable information from the lappy every evening. What, is this rocket surgery? I thought I was reading "news for nerds about stuff that matters!" Where did all the programmers go?
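The partial, redacted extract argued for in the comments above (name and address by default, a masked SSN only to tell apart claimants who share both, date of birth never), as an added example that is not part of the original thread. The field names, the `manual_check` flag and the sample records are assumptions, and every value is constructed.

```python
import re
from collections import Counter

# Constructed sample of the full claims table that stays on the server.
FULL_RECORDS = [
    {"claim_id": "C-1001", "name": "Joe Smith", "address": "12 Bay Rd, Houma LA",
     "dob": "1961-04-02", "ssn": "000-00-3456"},
    {"claim_id": "C-1002", "name": "joe  smith", "address": "12 Bay Rd, Houma LA",
     "dob": "1988-11-19", "ssn": "000-00-4321"},
    {"claim_id": "C-1003", "name": "Joe Smith", "address": "7 Pier St, Venice LA",
     "dob": "1975-01-30", "ssn": "000-00-1111"},
    {"claim_id": "C-1004", "name": "Ann Lee", "address": "3 Dock Ln, Grand Isle LA",
     "dob": "1990-06-15", "ssn": "000-00-2222"},
]

# Only these columns are copied to the laptop by default (assumed names).
ALLOWED_FIELDS = ("claim_id", "name", "address")
FULL_SSN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def _key(rec):
    """Case- and whitespace-insensitive (name, address) pair."""
    norm = lambda s: " ".join(s.lower().split())
    return (norm(rec["name"]), norm(rec["address"]))


def mask_ssn(ssn):
    """Return '***-**-NNNN', or None if the value is not a 9-digit SSN."""
    digits = re.sub(r"\D", "", ssn or "")
    return f"***-**-{digits[-4:]}" if len(digits) == 9 else None


def build_field_extract(records):
    """Copy allowed fields; add a masked SSN only where name+address collide."""
    collisions = Counter(_key(r) for r in records)
    extract = []
    for rec in records:
        row = {f: rec[f] for f in ALLOWED_FIELDS}
        if collisions[_key(rec)] > 1:
            masked = mask_ssn(rec.get("ssn"))
            if masked:
                row["ssn_masked"] = masked
            else:
                # No usable SSN: resolve by hand instead of exporting more data.
                row["manual_check"] = True
        extract.append(row)
    return extract


def leaked_identifiers(rows):
    """Pre-export guard: list (claim_id, field) pairs that must not leave."""
    hits = []
    for row in rows:
        for field, value in row.items():
            if field in ("dob", "ssn") or FULL_SSN.search(str(value)):
                hits.append((row["claim_id"], field))
    return hits


if __name__ == "__main__":
    extract = build_field_extract(FULL_RECORDS)
    for row in extract:
        print(row)
    print("blocked fields in extract:", leaked_identifiers(extract))
```

Running `leaked_identifiers` on the extract before it is written to the device turns the "no full SSN, no DOB" rule into a check rather than a habit.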

You sound like you were raised by Steve Ballmer and rocked to sleep each night by a loving marketing brochure. Lay it on a bit thicker, will you?

That said, disk encryption (almost certainly full disk, because you Do Not Want to have to puzzle out all the possible locations that a modern OS and suite of common programs may stash temporary files, caches, etc.) is more or less a must for sensitive information that leaves the site. It reduces the hazards of sloppy disposal even for desktops that are only supposed to leave the building at EOL.

You can get disks that do it in hardware, there are a variety of software options; but it is pretty much the bare minimum of responsible handling of sensitive data. Even better, of course, is never actually having the data on the device in the first place. With the comparatively low cost of broad internet coverage today, forcing people working on really sensitive stuff to do so only in a terminal session that actually lives on a nice cozy server back in your locked cage, with only pictures and input device events going back and forth over the (SSL secured) wire is fairly practical and means that even a badly rooted client is limited to some screengrabs and a stolen client gets nothing but a stock OS with one of the terminal clients installed.

3G mobile is far from cheap, and in some areas the speeds may be too low to have a good VPN / remote speed, and the cost over 5GB is like $10+ per GB. And don't even think about roaming: Adam Savage hit $11,000 just with a few hours of web surfing in Canada on an iPhone.

Are we? Did we get transported back to 1998? Think I'll put a few hundred on the Broncos!
Darn! I've checked. It's 2011 and you're an ignorant, fat, bigoted asshat.

BP acquired Amoco. That doesn't change the fact that they still have a ton of money they can use for securing important data. In the future why don't you take some time to explain whatever point you're trying to make instead of casting bile everywhere.

You sound like you were raised by Steve Ballmer and rocked to sleep each night by a loving marketing brochure. Lay it on a bit thicker, will you?

Naw, if the AC in question had been actually shilling for M$ instead of just parodying our recent influx of Microsoft shills, he'd have said that the whole incident could have been prevented by not hosting any of the data on the laptop in the first place. Bitkeeper was last year's buzzword. This year's buzzword appears to be all about yelling "To the Cloud!"

Or if you'd rather not spend the cost of a game console on an operating system just to use its OS-specific encryption, just use Truecrypt, a multi-platform encryption solution that costs $0 and can do everything BitLocker can and more.

Yes, my Windows machine runs exclusively Microsoft. None of that 'Firefooks' and 'Googlidoo' for me. Only Microsoft. Microsoft and Adobe. Yes, Microsoft and Adobe.. and Java.. these three programs I run on my Windows machine. There's no reason to run anything else. And your machine stays squeaky clean. For safe computing use only Microsoft recommended products. Four out of five dentists agree..

Well, let's see. Most banks require an ID to open an account. Most check-cashers want an ID to cash a check. So, besides toting your social security card and your birth certificate around with you to prove your identity, it's more convenient to use a state issued ID. In this example, I used a driver's license as a quick example of a state issued identification card with a number, since ALL states use a unique number on these cards, be it a driver's license or a plain ID card.

Well, let's see. Most banks require an ID to open an account. Most check-cashers want an ID to cash a check.

Most banks use some form of identity verification. However, at least the last bank account I opened, this did not involve the presentation of any physical paperwork. I certainly didn't need a birth certificate, I simply told them my SSN, and I didn't present any state issued ID. IIRC, when I opened a bank account back in the 80s I had to go through something like that, but not recently. As for check-cashers, I assume you're talking about people who stand around in the bank talking to people who go in? D

But are they more unlikely to have a passport [gyford.com] or be functionally literate [usatoday.com]? For this shitty country's brainwashed masses to take their own unearned "exceptionalism" as an article of faith is just hilarious in the face of the facts.

For a lost income claim, the money is taxable (just as the income it is supposed to be replacing would be).

The problem is tax evasion. There's a million "bubba gump shrimp boats" down there, that "on paper" never make more than a couple K of taxable income per year. But under the table they were absolutely raking it in. Cash sales to restaurants. Cash sales at the pier to brokers. Cash sales to general public and/or local fishermen who happen to be at the pier. The only guy in LA with more cash than a dealer is a fishing boat owner. Now with the spill, there is a huge dilemma of how much money they should get from B.P., what they actually made, or what they reported to the IRS.

I'm told by relatives in LA that the IRS takes people down because they are so dumb that they buy diesel for their boat on a credit card, so it's easily tracked, and they spend more money JUST ON DIESEL than they report as gross income to the IRS. There's a whole folklore as to which marina cooperates with the feds and which marinas take cash for fuel, and how it's better to buy diesel at a "gas" station for cash, pay the diesel road tax, and pour it into your boat, than to get busted. Apparently offroad has a dye added so you can't burn it onroad, and boat owners buy the dye to make it look like they're burning marina diesel instead of truck diesel.

That gives some idea of how bad the tax evasion is down there. I would not be surprised if this is all a show, and the laptop mysteriously is found in the local IRS office.

I thought the dye just indicated it was NOT taxed for road use. Meaning if a truck on the road HAS the dye, they get in trouble. However, if you use that fuel off road (on water counts as off road?), you don't get in trouble for paying a tax that you didn't need to.

I guess my question is who is out there checking for fuel that was taxed, in a situation where the tax was not required?

In addition to that, my understanding of that dye, is that it tends to stay in the tank, even after re-filling with non-dye fuel. S

The same reason any non-government entity needs it: because it would be more convenient if you had a government-issued serial number, and the closest thing you have to that is your SSN, which they have no right to whatsoever.

Any sufficiently big level of stupidity is indistinguishable from malice :)

Actually it is better for you to assume malice than stupidity, because if you go after a fool, he kinda sorta deserved it anyway; if you think a malicious enemy is stupid, you are gonna pay twice for being a fool yourself. Game theory in action. :)

Was it not encrypted? How long after it was "discovered" missing was it remotely disabled? Were they able to wipe it? Why do you keep this type of data on a personal laptop?
Seriously BP, you guys make a lot of cash, care to tell us how much of this is going into your IT infrastructure to prevent this from happening?

Oh, IT told them how to securely store the data on the laptop. He, being at the executive level, promptly ignored IT directives because it was "too complicated".

I'm in a large organization, it's INCREDIBLE what hoops IT makes little ol me jump through to do things on my laptop but executives are routinely able to do and get the most insane stuff happening on their laptop. Autologin because they keep forgetting their passwords? No duh, changed every 20 days, must contain a non-alphanumeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....you have ANY idea how fricken hard it is to keep track of not only the main login but all the subsystems we use?

Oh, what's that? the exec has autologin with roboform installed? And this is allowed HOW? Oh right, they're the execs.

No duh, changed every 20 days, must contain a non-alphanumeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....

I read an editorial a long time ago in the Wall Street Journal, written by a security consultant. The executive had three secretaries working for him, and they had to use the PCs from each other. The executive proudly stated that the passwords needed to be changed every week!

The consultant said that no one could deal with a different password every week. He did a MacGyver, and used a pocket knife to open the drawers in one of the secretaries' desks. There were the passwords, all written down and stored in the top drawer.

The point here is that if you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.

The point here is that if you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.

The worst part of your story is the actual failure mode is failure to understand the difference between encryption and authentication.

You're "supposed" to share encryption keys to transfer data, and you've got a huge known plaintext problem with encryption. So you have to change keys / passwords every week or whatever.

In comparison, the only person that knows your authentication password is one human. The computer, if done correctly, only knows a salted hash. Changing passwords is cargo cult science, it's pointless. It's applying a solution from one problem to a completely unrelated problem. And it makes it worse by making password changing and resetting common and trivialized (in addition to making human management of passwords so difficult that they subvert the system as per your report). Finally it feeds illogic and stupidity, in that good security can be a PITA, therefore anything that is a PITA must be good security, right, and the more of a PITA it is the better the security must be?

If the password doesn't get mangled into an encryption key somehow, it's not protecting anything. "Password Protection" on a laptop is like putting up a forty-foot high steel (.. colored.. plastic..) door next to a patio and hoping thieves are too distracted by the door to notice it's not actually enclosing anything.

Does it seem odd to you that TFA does NOT say that the lost laptop HAS been disabled? It looks a bit queer to me that BP wouldn't want to say THAT, if that was true. And so they did not say that, I assume it is not true. That could mean the laptop is out of range or destroyed, or it could have been stolen by somebody smart enough to open it up and remove the hard drive rather than just punch the power button.

There hasn't been much coverage lately of how the independent engineering team decided the blowout prevention valve's malfunction was to blame and not some active corporate malfeasance after all. On the other hand, there also hasn't been much coverage of how BP owns a lot of the oil facilities in Libya that the US military is now busy defending.

It seems they do have a copy of the data (the original article alludes to that) -- so this is in effect just a loss of a laptop that contained a copy of this data.

Shit happens! Seems like they are doing appropriate damage control (by offering free credit monitoring to affected people). And hopefully, as soon as it comes online if it gets turned on by a novice finder/stealer, it will be wiped/locked by the company's software agent.

Such data is usually copied by many on their laptops or devices so they can run some quick analyses or answer questions -- there is nothing out of the ordinary. It should be treated like any other company laptop loss, except in this case it had a copy of some rather news-worthy data.

It seems they do have a copy of the data (the original article alludes to that) -- so this is in effect just a loss of a laptop that contained a copy of this data.

Indeed. No doubt they put a copy of this data on every laptop, and keep it on a public server somewhere so anyone can copy it, so they always have many copies around just in case something like this happens. /eyeroll

That whooshing sound you heard when you read the summary was the whole point going over your head. The issue was never that they might no longer have access to the data. The issue is that they aren't doing a particularly good job of making sure not everyone has access to the data.

Such data is usually copied by many on their laptops or devices so they can run some quick analyses or answer questions -- there is nothing out of the ordinary.

Indeed. No doubt they put a copy of this data on every laptop, and keep it on a public server somewhere so anyone can copy it, so they always have many copies around just in case something like this happens. /eyeroll

The issue was never that they might no longer have access to the data. The issue is that they aren't doing a particularly good job of making sure not everyone has access to the data.

You would never know that with the ruckus everyone here was raising at the start of the thread.
And by the way - you conveniently ignored the fact that they are doing damage control.

If the data is sensitive, it shouldn't be copied, it should be accessible in such a way that they can do this without requiring an individual copy of the entire database on the laptop. Alternately, if this isn't feasible for the task that needs to be done on that laptop, then much higher levels of security should be required and extra care should be taken to ensure that the machines that do have the data are not stolen or lost.

This is only "nothing out of the ordinary" in the sense that irresponsible behavior and gross negligence are nothing out of the ordinary at BP.

There is a lot of difference between theory and practice. You would know that if you work for a big organization. I am not condoning the lack of precautions on the executive's part -- the executive needs to be reprimanded properly, but all I am saying is that this stuff happens.
True BP may be bad and evil, but this does not mean t

As I said earlier, I am sure that the info is encrypted on the laptop -- it will probably be inaccessible without a proper key. And if the machine comes on, they will be able to wipe it before the OS loads.

Big organizations usually do hedge for such scenarios and have precautions and procedures in place in such events. You don't think they supply their executives with plain vanilla laptop with Windows on it with no serious authentication measures?

What makes you so sure that the info is encrypted on the laptop? Are you assuming that it is? Does the article state that it is?

I said there is a high probability, not that I am completely sure. Are you aware of how organizations work with their IT infrastructure? Or do you just think that they buy computer stuff and distribute it to their employees?
Any big organization will have a plan in place for such an event as this -- it is fairly common to expect that laptops can be stolen/misplaced. And that I can be 100% sure that they have some procedure and definitely some protection layers for the data.

Have you ever heard of data getting illicitly retrieved off of stolen laptops? Happens all the time. It seems to me that assuming that they actually did encrypt all sensitive data without knowing that for a fact is incredibly naive.

In my mind it seems like a failure in security to have this quantity of personal information on a laptop. If someone needs quick access to it then it should be in a database back in home base with some canned queries for whatever functions are typically needed. This approach should be sufficient anywhere that an internet connection exists. I've never used one myself but my understanding is that these days you can purchase USB sticks that connect to the internet from anywhere in reach of a cell tower and

Understatement! At Symantec we didn't even let executives just download all the end-of-quarter high-value orders, and that information was vital to timely earnings estimates! We built them a reporting rdbms with "some canned queries" just like you said, which they could access via VPN or from their offices around the world. But the Finance Department did not offer the whole f'ing database to anybody to take from The Company's offices. That shit just isn't done with valuable data -- data that The Company v

Ahhh yes policy. I take it you don't work in IT? IT policies in most companies are generally widely regarded as a waste of time to write and are rarely followed. I mean I work for a multinational company who actually had to send out an email communication to all staff saying, "Yes downloading 5GB of porn on your lunchbreak is definitely a breach of the terms of services, which incidentally are longer than a typical EULA and expressly state things such as never keep company information on the desktop, my doc

You make it sound like the end user knows the difference. The policy basically is a catch all to not keep any data anywhere except our personal drives, which they provide us access to from anywhere in the world anyway. I mean we don't go a week without hearing that someone lost a laptop of social security numbers, a customer database, a list of voters, etc. Are you saying these companies all had no IT policy to not keep sensitive data on a laptop/usb stick?

At this point is there any expectation that actions like this will carry consequences outside of an apology for a company like BP? After the oil spill, the Texas incident and their subsequent handling of both - it seems like an issue like this will disappear from the media's attention span in short order.

It doesn't happen that often, but each and every time I read a story about a laptop being lost that held critical information, I'm asking myself the same question: How do you lose a laptop?! I've never personally heard of anyone losing a laptop. Not even misplacing one. One got stolen, but I wouldn't count this as "lost", although it is a loss.

I'm always amazed at the community's limited understanding of the media world and how it does its reporting. The media is reporting how BP is treating the issue, not what has actually happened. BP is handling this in a worst case scenario: the laptop has been stolen/lost, the information on the laptop has been compromised, and the individual responsible is maliciously using the claimants' information in a mischievous way. They have only confirmed they do not have in their possession a laptop with claims info

In the age of ubiquitous connectivity, why is it that this data is stored locally on a laptop? BP surely has boocoo IT infrastructure, so why didn't they just set up a secure website that their minions could've used to input people's data instead of storing it in Excel on a laptop where it could be lost? Seems to me that it'd be a lot more difficult to lose the data when it's sitting on your SAN which is probably in an access restricted datacenter. Asshats...

Why would someone store data on a laptop? Connect through a secure link and get your data from a server that can't be lost. Hacked maybe, but not lost. For crying-out-loud; some IT folks are Duh and not WINNING. Storing shit on a laptop is just retarded. Don't care it is retarded. Store it on a server. I do and Duh, WINNING!

...you think this tidbit from the article might have been included in the teaser. Lojack for laptops, encryption and passwords should be required for any company or academic laptop containing sensitive information.